**Updated** RSA Breached: SecurID Affected

Before the hype gets out of hand, here’s what we know, what we don’t, what you need to do, and some questions we hope are answered:

What we know

According to the announcement, RSA was breached in an APT attack (we don’t know if they mean China, but that’s well within the realm of possibility) and material related to the SecurID product was stolen.

The exact risk to customers isn’t clear, but there does appear to be some risk that the assurance of your two-factor authentication has been reduced.

RSA states they are communicating directly with customers with hardening advice. We suspect those details are likely to leak or become public, considering how many people use SecurID. I can also pretty much guarantee the US government is involved at this point.

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

What we don’t know

We don’t know the nature of the attack. They specifically referenced APT, which suggests custom malware, which could have been introduced in a few different ways – a web application attack (SQL injection), email/web phishing, or physical access (e.g., an infected USB device – deliberate or accidental). Everyone will have their favorite pet theory, but right now none of us know cr** about what really happened. Speculation is one of our favorite pastimes, but it is largely meaningless other than as entertainment until details are released (or leak).

We don’t know how SecurID is affected. This is a big deal, and the odds are just about 100% that this will leak… probably soon. For customers this is the most important question.

What you need to do

If you aren’t a SecurID customer… enjoy the speculation.

If you are, make sure you contact your RSA representative and find out if you are at risk, and what you need to do to mitigate that risk. How high a priority this is depends on how big a target you are – the Big Bad APT isn’t interested in all of you.

The letter’s wording might mean the attackers have a means to generate certain valid token values (probably only in certain cases). They would also need to compromise the password associated with that user. I’m speculating here, which is always risky, but that’s what I think we can focus on until we hear otherwise. So reviewing the passwords tied to your SecurID users might be reasonable.

Open questions

While we don’t need all the details, we do need to know something about the attacker to evaluate our risk. Can you (RSA) reveal more details?

How is SecurID affected and will you be making mitigations public?

Are all customers affected or only certain product versions and/or configurations?

What is the potential vector of attack?

Will you, after any investigation is complete, release details so the rest of us can learn from your victimization?

Finally – if you have a token from a bank or other provider, make sure you give them a few days and then ask them for an update.

If we get more information we’ll update this post. And sorry to you RSA folks… this isn’t fun, and I’m not looking forward to the day it’s our turn to disclose.

Update 19:20 PT: RSA let us know they filed an 8-K. The SecureCare document is linked here and the recommendations are a laundry list of security practices… nothing specific to SecurID. This is under active investigation and the government is involved, so they are limited in what they can say at this time. Based on the advice provided, I won’t be surprised if the breach turns out to be email/phishing/malware related.

Comments

Fri, June 24, 2011 1:36pm

Bob H is correct. Admins need to persistently take an advanced look at their data. Back when I had a job, I would spend 1 Hr. a day doing this. You can rely on this tool and that tool. The tools are just that, tools. It’s great to have the help; but, a company needs a trained Admin who looks at the data each day. It’s kind of a dull job.

I speculate it is more likely that RSA had a weak system that got broken into. The dual key customer information was not protected well enough. Using the info will be tough because the perpetrator will need to do a brute force attack to find the matching password.

Good security starts at home. Don’t outsource your systems to some opaque corporation. RSA/EMC is the one who can’t be trusted.

By nightjoe

Tue, March 22, 2011 4:08pm

It’s painfully obvious this situation is serious. Typically when executive management communicates and when the communication is vague (at best), the issue is something more serious. I’m sure RSA is scrambling to make changes to their technology. In the meantime, we (customers) sit in a “window of opportunity.” Perhaps at some point, Wikileaks will correlate all the data and present some meaningful information.

By Jason

Tue, March 22, 2011 5:55am

One point: what went wrong with other RSA products such as DLP and RSA enVision? These products should be able to detect such types of attacks, even though APT is a slow attack.

Correct me if I am wrong: DLP should be able to detect the transfer of sensitive information, and enVision should detect anomalies in the logs and correlate all events during the period of attack.

Thoughts please.

By tamer

Sun, March 20, 2011 8:16pm

We don’t know if this was really an APT. EMC would like to make us believe that this was an “extremely sophisticated cyber attack”, which is the only way they can justify the breach. This is damage control for EMC right now, and there are only two ways they can spin this: admit to bad security practices, or make us believe in the extremity and sophistication of this master plan to take over the world and that no one is safe. This is just a theory.

By Emir Ruzdic

Fri, March 18, 2011 8:27pm

It is safe to assume that this involves more than just the algorithm/source code. The algorithm behind SecurID token code generation has been public for years now: it is AES-128 in ECB mode, used to hash the following 3 pieces of input:

1) A 128-bit token-specific random seed
2) 64-bit representation of the current date and time
3) Token serial number (32-bit)

The security of the scheme does not depend on the knowledge of the algorithm. If a database containing the mapping between token serial numbers and the random 128-bit seeds they were injected with were stolen, however, that would be a big problem.


By Jacob Gajek
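As an added illustration of the commenter’s point (this is example code, not RSA’s code and not the real SecurID algorithm), the Go program below models a token generator and a server-side verifier from the description above: AES-128 keyed with the token’s 128-bit seed, encrypting one block built from a 64-bit time counter and the 32-bit serial. The block layout, the 60-second step, the 6-digit truncation, the seed values and the serial are all assumptions. It shows why the serial-to-seed database, not the algorithm, is the asset: whoever holds the seed reproduces the codes, and whoever holds only the algorithm does not.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"time"
)

// Simplified model of the construction described in the comment: AES-128 keyed
// by the token seed over (64-bit time counter || 32-bit serial || zero padding).

const step = 60 * time.Second // assumed: one code per minute
func Window(t time.Time) uint64 { return uint64(t.Unix()) / uint64(step/time.Second) }

// TokenCode derives the 6-digit code a token holding this seed shows for a window.
func TokenCode(seed [16]byte, serial uint32, window uint64) (uint32, error) {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		return 0, err
	}
	var in, out [aes.BlockSize]byte
	binary.BigEndian.PutUint64(in[0:8], window)
	binary.BigEndian.PutUint32(in[8:12], serial) // in[12:16] stays zero (assumed padding)
	block.Encrypt(out[:], in[:])
	return binary.BigEndian.Uint32(out[0:4]) % 1_000_000, nil
}

// Verify is the server-side check. It needs the same seed the token carries, so the
// serial-to-seed mapping is exactly what reproduces codes; drift tolerates clock skew.
func Verify(seed [16]byte, serial uint32, code uint32, t time.Time, drift int) bool {
	w := int64(Window(t))
	for d := -drift; d <= drift; d++ {
		if expected, err := TokenCode(seed, serial, uint64(w+int64(d))); err == nil && expected == code {
			return true
		}
	}
	return false
}

func main() {
	seed := [16]byte{0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0xf0} // constructed
	wrong := [16]byte{1, 2, 3}                                                                                       // constructed
	now := time.Date(2011, 3, 18, 12, 0, 0, 0, time.UTC)
	code, _ := TokenCode(seed, 0x12345, Window(now))
	fmt.Printf("token 0x%08x shows %06d\n", 0x12345, code)
	fmt.Println("holder of the real seed verifies:", Verify(seed, 0x12345, code, now, 1))
	fmt.Println("holder of another seed verifies:", Verify(wrong, 0x12345, code, now, 1))
}
```

The PIN or password tied to the user is the only factor this model does not depend on the seed for, which is why the post above suggests reviewing those passwords.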

Fri, March 18, 2011 4:47pm

The whole point of two factor authentication is two _independent_ authentication mechanisms. This very basic principle of the architecture is such that if one is completely compromised, the other acts as a layer of protection. As such, if properly implemented, this really shouldn’t be a big deal to an individual corporation. For RSA, it means potentially re-distributing SecurID with new keys, so I understand that for them this may be costly, but from a security perspective, if you are doing your job right, this is noteworthy but not front-page news.

By gonzarthegreat

Fri, March 18, 2011 1:08pm

APT, when boiled down to its basic form, is a branding used to identify the current attack vectors organizations already experience, e.g. malware, rogueware, web vulnerabilities, etc. The one distinction about APT is the persistent nature and global scope of the attack scenario. Instead of infecting as many computers or files as possible, for example, an APT’s target is more precise and targeted, to learn as much about the target over a period of several months. Therefore, the current methods used as a defense are sufficient when used in conjunction with a proactive monitoring and auditing program.

By Mark Wireman

Fri, March 18, 2011 11:51am

Derek, one minor error: the reference to “the” APT is a term of art with specific meaning, not a collective. If I tell you any more I’d have to kill you. :-) ‘nuff said?

A point about APTs in general, and “the” APT in particular is that the offense has gotten a big lead in this area, and they are eating our lunch. Bob Huber made a very good point. There are places where schools churn out students who produce the APT elements, practice against various targets, and have turned it into a pervasive reality. The need for a paradigm shift from defending the network to accepting it is compromised has been voiced by some observers, now it needs to be embraced by all of us.

By Unnamed Source

Fri, March 18, 2011 11:42am

Were the keys that reside in each token compromised? Will EMC RSA replace those compromised tokens for free?

Shouldn’t the EMC SIEM have detected this APT attack?

By OLsen Gripper

Fri, March 18, 2011 8:49am

While you guessed at the meaning of the term “Advanced Persistent Threat”, I Googled it and found the correct definition:

An Advanced Persistent Threat (APT) involves advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government. The global landscape of APTs from all sources is sometimes referred to in the singular as “the” APT.

By Derek Brooks

If you’d like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.

About

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization.